
New Exploit Attacks UK Routers and Runs Up Mobile Data Bills

Thursday, Jul 14th, 2022 (7:57 am) - Score 4,776

Some customers of business-focused UK mobile data (broadband) operator Anvil Mobile have been hit by a new exploit, which hijacks end-user routers and then proceeds to spew out cyber-attacks. The result is a compromised network and large data bill, but customers on other operators may also be affected.

Anvil is an operator that typically offers business grade mobile data and fixed IP services via Three UK, Vodafone, EE and O2 (VMO2) as part of multiple MVNO agreements, which is rather different from the single-operator MVNO arrangements that we often see from more familiar consumer brands.

However, the operator recently came to our attention for a very different reason, which began after ISPreview.co.uk was informed by customers that Anvil had begun sending out notification emails about an “Overuse Issue” on some accounts. The email claims that “all networks” are reporting that, since 4th July 2022, there has been a “spate of cyber-attacks” that have exploited flaws in “older firmware versions of several popular routers.”


The exploit, which Anvil rather annoyingly fails to identify, then goes on to compromise the customer’s router. After that, the router becomes a source of “automated attacks and web scraping across many services on the internet”. Not only does this compromise the customer’s network, but it can also run up a large data bill, as confirmed by one of the affected customers.

Anvil correctly points out that this is “not a network or SIM issue and the overuse will be billable (monthly in arrears),” although thankfully the operator is currently being very proactive in notifying customers who they believe may have been compromised. Sadly, not all operators are quite as proactive.

The operator also warned that those with compromised routers (usually third-party devices) could find their SIM being suspended, which may occur if the attack traffic from their connection results in abuse reports (broadband ISPs sometimes do this too) or the customer is in danger of running up a huge / abnormal data bill.
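One way an operator or customer could spot the kind of sudden usage increase described above is to compare each day's data use against a robust trailing baseline. This is an added example, not code from Anvil or ISPreview; the SIM names, daily figures and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample data: daily usage in MB for two hypothetical SIMs.
# sim-A jumps sharply on day 7; sim-B is bursty but normal.
USAGE = {
    "sim-A": [310, 295, 330, 305, 320, 300, 315, 2900, 3400, 3100],
    "sim-B": [120, 0, 135, 110, 125, 0, 130, 128, 140, 118],
}


def flag_overuse(daily_mb, window=7, k=6.0, ratio=3.0, min_mb=500):
    """Return the indices of days whose usage is far above the baseline.

    Baseline is the median of the last `window` unflagged days and the
    spread is the median absolute deviation (MAD), so a single odd day
    does not move either. Flagged days are kept out of later baselines,
    otherwise sustained attack traffic would become the new "normal".
    """
    flagged, clean = [], []
    for day, mb in enumerate(daily_mb):
        if len(clean) >= window:
            recent = clean[-window:]
            base = median(recent)
            mad = median(abs(x - base) for x in recent)
            # 1.4826 scales MAD to a standard deviation for normal data.
            threshold = max(base + k * 1.4826 * mad, base * ratio, min_mb)
            if mb > threshold:
                flagged.append(day)
                continue
        clean.append(mb)
    return flagged


def report(usage=USAGE):
    """Map each SIM to its flagged days, omitting SIMs with none."""
    hits = {sim: flag_overuse(days) for sim, days in usage.items()}
    return {sim: days for sim, days in hits.items() if days}


if __name__ == "__main__":
    for sim, days in report().items():
        print(f"{sim}: abnormal usage on days {days}")
```

The `min_mb` floor stops low-usage telemetry SIMs from alerting on small absolute changes; tune it to the tariff rather than reusing the value here.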

Extract from Anvil’s Message

As we have noted that your SIM has an excessive increase in data use recently we are highlighting the potential for your device to have been compromised, if you are not aware of any reason for the increased usage we strongly urge you to pass on the following information to your engineers or whoever is responsible for your SIM hardware to take the following measures to ensure the security of your device.

➤ Factory reset and upgrade your router to the latest firmware version.

➤ Set up the router again ensuring that any unused ports or services are closed/disabled.

➤ Check any connected devices such as laptops or PCs for malware/viruses.

➤ If possible set up IP whitelisting to ensure only approved hosts can access the router.

If we receive notification to our abuse email regarding a SIM attacking servers or any other malicious activity we will immediately have no option but to suspend the SIM and inform you to stop any additional usage as this results in large invoices due to the volume of traffic.

If you are at all concerned or would like the SIM suspended pre-emptively so you can check the device/perform the steps above please don’t hesitate to contact us.

Naturally, we attempted to contact Anvil about all this, but they’ve yet to respond to our email. However, the only notable router-targeting malware that we’re aware of as being very active since early July 2022 is the highly sophisticated ZuoRAT (likely developed by a state-sponsored actor), which is known to target small office / home office (SOHO) routers.


The aforementioned malware is a multistage remote access trojan (RAT) that grants an attacker the ability to pivot into the local network and gain access to additional systems on the Local Area Network (LAN) by hijacking network communications to maintain an undetected foothold. Once exploited, the malware can capture packets being transmitted on the router and stage man-in-the-middle attacks through DNS and HTTPS hijacking.

Some of the known vulnerabilities associated with this malware, focusing on how it accesses routers to spread the RAT, include CVE-2020-26878 and CVE-2020-26879. Both were first discovered in 2020, which may explain the earlier reference by Anvil to older firmware. Numerous SOHO router manufacturers have kit that could be exposed to this if not updated, including ASUS, Cisco, DrayTek and NETGEAR.

Some people may also be using re-branded versions of the aforementioned router brands, which is why it’s wise to check that you’re on the latest firmware, even if you don’t think you’re affected by this. If you fear that your router has been compromised, a simple restart of the infected device should remove the initial ZuoRAT exploit, but only a factory reset will fully clear it, and you’ll then need to update the firmware to avoid reinfection.

I must stress that we don’t yet know if the issue being experienced by Anvil’s customers is indeed ZuoRAT, but from the description they’ve given, and the timeline, it does sound likely.


By Mark Jackson
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments.
3 Responses
  1. Ethel Prunehat says:

    WirelessLogic, who are a similar outfit to Anvil by the looks of things, sent out a similar warning to customers last week.

  2. Rich says:

    Hm, this sounded like a product I’d be interested in for work, but they have no pricing on their website for connectivity insisting I fill in forms to be spammed by their sales vultures at a later date.

    Really don’t understand why companies do this. It drives customers away.

  3. A_Builder says:

    The really interesting thing is the ‘attack’

    I mean the attack does attack anything but drives up the data bill so calling attention to the penetration…..

    You wouldn’t do that if you had carefully captured a bot army would you? You might do it if you wanted users to take action.

    Might be a benign actor forcing compromised devices offline by hitting monthly billing limits?

    Given that these devices will be controlling / monitoring remote units: substations, weirs, pumping stations. In fact any bit of infrastructure where you cannot get a fixed broadband line and don’t need too much bandwidth….
